In view of the recent LinkedIn breach, would anyone care to review my data access routines relating to user access?
This is a standard node.js module, accessing a Postgres database.
(function () {
'use strict';
var crypto = require('crypto'),
hash = function (pass, salt) {
var h = crypto.createHash('sha512');
h.update(pass);
h.update(salt);
return h.digest('base64');
};
module.exports.getUser = function (conn, email, password, callback) {
conn.query({
name: 'getUser',
text: 'SELECT "id", "passwordHash" FROM "user" WHERE "email" = $1 LIMIT 1',
values: [email]
}, function (err, result) {
if (err) {
throw err;
}
if (result.rows.length === 0) {
callback(null);
} else {
var newHash = hash(password, email),
row = result.rows[0];
if (row.passwordHash === newHash) {
callback({id: row.id, email: email});
} else {
callback(null);
}
}
});
};
module.exports.addUser = function (conn, email, password, callback) {
var newHash = hash(password, email);
conn.query({
name: 'addUser',
text: 'INSERT INTO "user" ("email", "passwordHash") VALUES ($1, $2) RETURNING "id"',
values: [email, newHash]
}, function (err, result) {
var id;
if (err) {
console.error(err);
callback(null);
} else {
id = result.rows[0].id;
callback({id: id, email: email});
}
});
};
}());
bits(password+salt) > bits(hash())– Bill Barry Jun 6 '12 at 14:33h.update(pass); h.update(salt);, I should also addh.update(<secret-guid>);– stusmith Jun 6 '12 at 15:07